How to detect and stop DDoS attacks from the NTP AMP toolkit
As the security community scrambles to reduce the number of vulnerable NTP servers, attackers find ways to hit harder with fewer servers.
Fueled by the availability of new DDoS toolkits that make it simple from malicious actors to generate high-bandwidth, high-volume DDoS attacks against online targets, the NTP amplification attack method has surged in popularity.
With only a handful of vulnerable NTP servers, the current batch of NTP amplification attack toolkits enable malicious actors to launch 100 Gbps attacks – or larger. The most recent toolkit uses an NTP server’s own list of recent server connections – as many as 600 IP addresses – as the payload to create malicious traffic at the target site.
This DDoS threat advisory includes:
- Indicators of the use of the NTP Amplification toolkit
- Analysis of the source code
- Use of monlist as the payload
- The SNORT rule and target mitigation using ACL entries for attack targets
- Mitigation instructions for vulnerable NTP servers
- Statistics and payloads from two observed NTP Amplification DDoS attack campaigns
Register to download the full DDoS threat advisory >>>
Want PLXsert to protect you?
By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations like yours adopt best practices and make more informed, proactive decisions about DDoS threats. PLXsert offers a subscription service that provides current threat intelligence, infrastructure and defense evaluation, as well as post-attack forensics.
Download the NTP Amplification DDoS Threat Advisory
* Required field